Skip to content

Instantly share code, notes, and snippets.

@danrl
Last active May 21, 2024 22:53
Show Gist options
  • Save danrl/7028281 to your computer and use it in GitHub Desktop.
Save danrl/7028281 to your computer and use it in GitHub Desktop.
Very basic packet filters with non-atomic loading. Be careful!
#!/bin/bash
echo -n "loading ipv4 packet filter... "
### clear tables
iptables --flush
iptables --delete-chain
iptables --table mangle --flush
iptables --table mangle --delete-chain
### default policies
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
### loopback
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
### existing connections
iptables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
iptables --append OUTPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
### trashlog chain
iptables --new-chain trashlog
iptables --append trashlog --jump LOG --log-level notice --log-prefix "trashlog: "
iptables --append trashlog --jump DROP
### invalid packets
#iptables --append INPUT --match conntrack --ctstate INVALID --jump trashlog
iptables --append INPUT --match conntrack --ctstate INVALID --jump DROP
### icmp
# allow echo requests
iptables --append INPUT --protocol icmp --icmp-type echo-request --match conntrack --ctstate NEW --jump ACCEPT
# drop the rest
iptables --append INPUT --protocol icmp --jump DROP
### services
# ssh
iptables --append INPUT --protocol tcp --dport 22 --match conntrack --ctstate NEW --jump ACCEPT
# ssh obscured
iptables --append INPUT --protocol tcp --dport 5000 --match conntrack --ctstate NEW --jump ACCEPT
# random service
#iptables --append INPUT --protocol tcp --dport 1234 --match conntrack --ctstate NEW --jump ACCEPT
# reject the rest
iptables --append INPUT --jump REJECT
### outgoing
iptables --append OUTPUT --jump ACCEPT
echo "done!"
#!/bin/bash
echo -n "loading ipv6 packet filter... "
### clear tables
ip6tables --flush
ip6tables --delete-chain
ip6tables --table mangle --flush
ip6tables --table mangle --delete-chain
### default policies
ip6tables --policy INPUT DROP
ip6tables --policy OUTPUT DROP
ip6tables --policy FORWARD DROP
### loopback
ip6tables --append INPUT --in-interface lo --jump ACCEPT
ip6tables --append OUTPUT --out-interface lo --jump ACCEPT
### existing connections
ip6tables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
ip6tables --append OUTPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
### trashlog chain
ip6tables --new-chain trashlog
ip6tables --append trashlog --jump LOG --log-level notice --log-prefix "trashlog: "
ip6tables --append trashlog --jump DROP
### invalid packets
#ip6tables --append INPUT --match conntrack --ctstate INVALID --jump trashlog
ip6tables --append INPUT --match conntrack --ctstate INVALID --jump DROP
### bad extensions headers
ip6tables --append INPUT --match rt --rt-type 0 --jump DROP
### icmpv6
# allow neighbor discovery and stateless address autoconfiguration
ip6tables --new-chain ndp-slaac
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type router-solicitation --match hl --hl-eq 255 --jump ACCEPT
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type router-advertisement --match hl --hl-eq 255 --jump ACCEPT
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type neighbor-solicitation --match hl --hl-eq 255 --jump ACCEPT
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type neighbor-advertisement --match hl --hl-eq 255 --jump ACCEPT
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type redirect --match hl --hl-eq 255 --jump ACCEPT
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 130 --match hl --hl-eq 1 --jump ACCEPT
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 131 --match hl --hl-eq 1 --jump ACCEPT
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 132 --match hl --hl-eq 1 --jump ACCEPT
ip6tables --append ndp-slaac --protocol icmpv6 --icmpv6-type 143 --match hl --hl-eq 1 --jump ACCEPT
ip6tables --append INPUT --protocol icmpv6 --jump ndp-slaac
# allow echo requests
ip6tables --append INPUT --protocol icmpv6 --icmpv6-type echo-request --match conntrack --ctstate NEW --jump ACCEPT
# drop the rest
ip6tables --append INPUT --protocol icmpv6 --jump DROP
### services
# ssh
ip6tables --append INPUT --protocol tcp --dport 22 --match conntrack --ctstate NEW --jump ACCEPT
# ssh obscured
ip6tables --append INPUT --protocol tcp --dport 5000 --match conntrack --ctstate NEW --jump ACCEPT
# random service
#ip6tables --append INPUT --protocol tcp --dport 1234 --match conntrack --ctstate NEW --jump ACCEPT
# reject the rest
ip6tables --append INPUT --jump REJECT
### outgoing
ip6tables --append OUTPUT --jump ACCEPT
echo "done!"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment